Draft
| Approver: psycore
Set up SSL under Apache
tutname=SSL unter Apache|tutautor=PsyCore|tutversion=1.4|tutquelle=https://www.schirmacher.de/display/Linux/Apache+SSL+Zertifikat+erstellen
Creating the private key
root@srv-web:~# openssl genrsa -out server.key 4096 Generating RSA private key, 4096 bit long modulus .....................................................................................................................++ ...............................................................................++ e is 65537 (0x10001)
CSR request
root@srv-web:~# openssl req -new -key server.key -out server.csr -sha256 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:DE State or Province Name (full name) [Some-State]:NRW Locality Name (eg, city) []:Neuss Organization Name (eg, company) [Internet Widgits Pty Ltd]:Some Company Organizational Unit Name (eg, section) []:. Common Name (e.g. server FQDN or YOUR name) []:www.yourdomain.com Email Address []:admin@yourdomain.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:. An optional company name []:.
Certificate provider
Apache configuration
mhost.conf or corresponding subdomain under sites-enabled:
NameVirtualHost your.server.ip.here:443
...
SSLEngine on
SSLCertificateKeyFile /etc/ssl.key/name.of.key
SSLCertificateFile /etc/ssl.crt/name.of.crt
SSLCertificateChainFile /etc/ssl.crt/name.of.ca-bundle
# The following lines stopps the BEAST attack
# more info at
# https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
The SSL module may still need to be activated in Apache:
a2enmod ssl
Now restart and it should work:
/etc/init.d/apache2 restart